Re: Security in our local network
On Sat, Aug 15, 2015 at 01:48:15PM +0200, Sven Arvidsson wrote:
> On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> > - I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)
>
> I would start right there. If you can't get firmware updates, get rid of it and replace it. Preferably with something that runs OpenWRT or similar, or do careful research for a manufacturer that takes security seriously.
>
> Most cheap routers have terrible security, some come with backdoors out of the box [1]
>
> There seems to be a trend towards bad actors targeting and taking over routers, so this is a very real risk.

I would have thought they didn't have enough spare time away from the filming of the TV shows I've seen them in. :)

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing.
--- Malcolm X
Re: Security in our local network
On Mon, Aug 17, 2015 at 10:23:49AM +0900, Joel Rees wrote:
> On Sat, Aug 15, 2015 at 6:59 PM, B. M. b-m...@gmx.ch wrote:
> > Hi list,
> > - Not really a debian problem, but I value the knowledge of you all :-)
>
> Well, these are common technical problems that many of us face, and some/many of the strategies and solutions are very much related to debian.

With all due respect, you'll face these problems no matter what Linux distribution you run.

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing.
--- Malcolm X
Re: Security in our local network
On 15 August 2015 at 17:05, Martin Skjöldebrand mar...@skjoldebrand.eu wrote:
> On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> > - Configure apache to require SSL client authentication - not yet possible because the owncloud sync client doesn't support that yet
>
> If I'm not totally confused the default setting for owncloud is to connect through https:, I certainly have a https:// address for my owncloud instance. Also, you might consider encrypting the file space for users.

I mean SSL client authentication, so a client has to use _his_ certificate to prove _his_ identity to the server! This isn't supported by the owncloud sync client yet.
Re: Security in our local network
On 15 August 2015 at 13:48, Sven Arvidsson s...@whiz.se wrote:
> On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> > - I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)
>
> I would start right there. If you can't get firmware updates, get rid of it and replace it. Preferably with something that runs OpenWRT or similar, or do careful research for a manufacturer that takes security seriously.
>
> Most cheap routers have terrible security, some come with backdoors out of the box [1]
>
> There seems to be a trend towards bad actors targeting and taking over routers, so this is a very real risk.
>
> 1. My router did, but I never used it with anything besides OpenWRT: http://www.h-online.com/security/news/item/Treacherous-backdoor-found-in-TP-Link-routers-1822720.html

The router has to be used to access the cable network. And it gets updates, but I don't have any control over it (e.g. I don't even know about updates or security holes; there's no information at all). So what I should do is buy another router, put it behind the first one and use only that second one to build my home network?
Re: Security in our local network
Quoting B. M. (b-m...@gmx.ch):
> On 15 August 2015 at 13:48, Sven Arvidsson s...@whiz.se wrote:
> > On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> > > - I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)
> >
> > I would start right there. If you can't get firmware updates, get rid of it and replace it. Preferably with something that runs OpenWRT or similar, or do careful research for a manufacturer that takes security seriously.
> >
> > Most cheap routers have terrible security, some come with backdoors out of the box [1]
> >
> > There seems to be a trend towards bad actors targeting and taking over routers, so this is a very real risk.
> >
> > 1. My router did, but I never used it with anything besides OpenWRT: http://www.h-online.com/security/news/item/Treacherous-backdoor-found-in-TP-Link-routers-1822720.html
>
> The router has to be used to access the cable network. And it gets updates, but I don't have any control over it (e.g. I don't even know about updates or security holes; there's no information at all). So what I should do is buy another router, put it behind the first one and use only that second one to build my home network?

(please wrap your lines)

I prefer that companies supply a modem rather than a cheap router, leaving the customer to choose their own router. It also makes the latter independent of the type of service (cable/adsl) supplied to the modem.

Cheers,
David.
Re: Security in our local network
On Sat, Aug 15, 2015 at 6:59 PM, B. M. b-m...@gmx.ch wrote:
> Hi list,
> - Not really a debian problem, but I value the knowledge of you all :-)

Well, these are common technical problems that many of us face, and some/many of the strategies and solutions are very much related to debian.

> I'd like to get external input to my security considerations...

Free advice and comments from the peanut gallery. (Mine are the latter.)

> Hardware / Network situation:
> - Family in an apartment, several other apartments in the same building

Do you mean you're allowing access to people in other apartments? (Contract issues quickly become security issues.) Or that there are others in the apartment building who might try to access your wireless router?

> - Internet by our cable network operator; router offered for free, providing WLAN to us

Would they allow you to buy a modem of your own? In some countries, you can find cable modems at electronics stores.

Although, if the router gives you a web-page where you can set the ip address and do some simple NAT and firewall kinds of things, update options are often there, somewhere. If the web page is only accessible from a wired ethernet connection, that's a good indication, usually. Sort-of.

Not giving access to the ability to turn off updates is considered a security strategy by many providers, and that may be for good reason. They may actually consider your modem/router as part of the equipment they own responsibility for. But do they answer your questions about the updates if you ask them? In a way that shows someone at the company understands that updates are even necessary and desirable to them?

> - Several clients use WLAN exclusively (no ethernet ports)
> - Several computers and tablets, one of them running several services:

I assume you are not running the services on a tablet, unless it's one you don't have to jailbreak to load your own OS on, or at least you aren't using a jailbreak app you picked up somewhere on the web?

;- (I am still more than a little piqued at Google for failing to do more to support the GPL freedoms of the Android community, not to mention their interface with the rest of the community. No shell except for shell apps that we have to trust some other programmer to squeeze in with gum tape and baling wire? Libraries that hit segfaults when you try to redirect stdin inside your program? That's just begging for an exploit that can't be addressed. And lack of some means for wired ethernet access (not including the non-solution of ethernet-over-USB, and, no) is just one of the things I'm miffed about. At least the Nexus models should have some waterproofed ethernet port, even if the physical form (thickness of the tablet) requires a different physical connector. If they can get a USB connector on many of the tablets, they could have done something about ethernet. -- Since I seem to be in a very negative mood today, I'll mention that I don't mean MTP or debug-over-USB when I say ethernet-over-USB above. And MTP is a word that should be banned from the list, if banning it would not make it impossible to talk about transferring files. Files. Not media. Sheer social engineering. -- So my comments about the server not being on the tablet are only half-joking, even though they aren't quite relevant here -- other than being a big part of the reason we don't see more debian on tablets. Which is what the short-sighted manufacturers think they want.)

> - dovecot for mail: automatic download of all mails (no long-term archiving online - privacy!).

The server, anyway, is connected to the modem/router by wire?

> Other clients (laptops) use offline imap to access my dovecot instance
> - owncloud for calendar, contacts, files: to synchronize files between different machines, synchronized per user

I, personally, am not a fan of owncloud-like stuff. But I'm still doing that kind of thing ad-hoc, so maybe I shouldn't be critical.

> - I created a CA and (sub-) certificates for S/MIME as well as a server certificate used for apache (owncloud, dovecot)

Well, PKI is what it is, and, unfortunately, everyone sort of uses it because ... they think there is no other option. But they don't really use it because they don't really understand it. Which is not surprising because the people who invented it still don't really understand it. Which is not surprising because the trust mechanisms are not susceptible to systematic solution. System is anathema to trust. What is necessary is a framework under which non-systemized trust mechanisms can be created ad-hoc by the people who will trust them, in other words, by the people who will use them. PKI could almost be that, but such mechanisms don't make money for the big vendors.

> Concerns:
> - WLAN: SSID hidden, strong password, but I can't really trust the router, can I ?

Stealth mode is almost useless, as others have pointed out. The password there is not a password, it's a non-protectable token
Re: Security in our local network
If you have an old spare machine, you can experiment easily and at no cost by making it a dedicated router/firewall. A good choice is IPCop, which almost anyone can install and configure in less than an hour. RLH
Re: Security in our local network
On Sun, 2015-08-16 at 10:09 +0200, B. M. wrote:
> The router has to be used to access the cable network. And it gets updates, but I don't have any control over it (e.g. I don't even know about updates or security holes; there's no information at all). So what I should do is buy another router, put it behind the first one and use only that second one to build my home network?

I guess it depends on how much you trust your ISP? E.g. do they provide updates on time, how do they access the router, do they use the same password or key for all customers...

For some users having someone else take care of updates might be nice, so you might be better off than many others.

Do you have no control at all over the router? What happens if you need to open a port?

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5
Security in our local network
Hi list,

- Not really a debian problem, but I value the knowledge of you all :-)

I'd like to get external input to my security considerations...

Hardware / Network situation:
- Family in an apartment, several other apartments in the same building
- Internet by our cable network operator; router offered for free, providing WLAN to us
- Several clients use WLAN exclusively (no ethernet ports)
- Several computers and tablets, one of them running several services:
  - dovecot for mail: automatic download of all mails (no long-term archiving online - privacy!). Other clients (laptops) use offline imap to access my dovecot instance
  - owncloud for calendar, contacts, files: to synchronize files between different machines, synchronized per user
- I created a CA and (sub-) certificates for S/MIME as well as a server certificate used for apache (owncloud, dovecot)

Concerns:
- WLAN: SSID hidden, strong password, but I can't really trust the router, can I ?
- Someone who has access to our local network could get access to mails or files (owncloud)
- I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)
- How can I maximize security?

Ideas:
- Configure apache to only accept SSL connections, because of WLAN sniffing (done)
- Configure dovecot to only accept SSL connections, because of WLAN sniffing (done)
- Configure apache to require SSL client authentication - not yet possible because the owncloud sync client doesn't support that yet
- apache: restrict allowed IP addresses using .htaccess file to 192.168.1.1/24. Does this provide security / make sense?
- dovecot: is restricting the allowed IP addresses for dovecot possible as well? Does this provide security / make sense?
- Any other measures?

Thanks for your input!
B.M.
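The Apache items from the Ideas list above, written out as an added example that is not part of any message in this thread. It assumes Apache 2.4 with mod_ssl; the host name, paths, certificate file names and the /private-example location are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl.
# Host name, paths and file names below are placeholders.

# "only accept SSL connections": nothing is served over plain HTTP,
# every request on port 80 is redirected to the TLS virtual host.
<VirtualHost *:80>
    ServerName cloud.home.example
    Redirect permanent / https://cloud.home.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.home.example
    DocumentRoot /var/www/owncloud

    SSLEngine on
    # Server certificate issued by the private CA described in the post.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CA that client certificates must chain to.
    SSLCACertificateFile  /etc/apache2/ssl/home-ca.crt
    # "optional": the server asks for a client certificate, but the
    # handshake does not fail when the client presents none.
    SSLVerifyClient optional
    # Allow one intermediate CA between the client certificate and the root.
    SSLVerifyDepth 2

    <Directory /var/www/owncloud>
        # "restrict allowed IP addresses": 192.168.1.0/24 is the network
        # that contains the 192.168.1.1 written in the post. The same line
        # works in .htaccess when AllowOverride AuthConfig is set.
        # Every device that has joined the WLAN is inside this range, so
        # this separates the LAN from the outside, not one LAN client
        # from another.
        Require ip 192.168.1.0/24
    </Directory>

    # Hypothetical path used only from browsers that hold a certificate:
    # both the address check and a verified client certificate are needed.
    <Location "/private-example">
        <RequireAll>
            Require ip 192.168.1.0/24
            Require ssl-verify-client
        </RequireAll>
    </Location>
</VirtualHost>
```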
Re: Security in our local network
On Fri, 14 Aug 2015 16:19:57 +0200 B. M. b-m...@gmx.ch wrote:
> Hi list,
>
> - Not really a debian problem, but I value the knowledge of you all :-)
>
> I'd like to get external input to my security considerations...
>
> Hardware / Network situation:
> - Family in an apartment, several other apartments in the same building
> - Internet by our cable network operator; router offered for free, providing WLAN to us
> - Several clients use WLAN exclusively (no ethernet ports)
> - Several computers and tablets, one of them running several services:
>   - dovecot for mail: automatic download of all mails (no long-term archiving online - privacy!). Other clients (laptops) use offline imap to access my dovecot instance
>   - owncloud for calendar, contacts, files: to synchronize files between different machines, synchronized per user
> - I created a CA and (sub-) certificates for S/MIME as well as a server certificate used for apache (owncloud, dovecot)
>
> Concerns:
> - WLAN: SSID hidden, strong password, but I can't really trust the router, can I ?
> - Someone who has access to our local network could get access to mails or files (owncloud)
> - I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)
> - How can I maximize security?
>
> Ideas:
> - Configure apache to only accept SSL connections, because of WLAN sniffing (done)
> - Configure dovecot to only accept SSL connections, because of WLAN sniffing (done)
> - Configure apache to require SSL client authentication - not yet possible because the owncloud sync client doesn't support that yet
> - apache: restrict allowed IP addresses using .htaccess file to 192.168.1.1/24. Does this provide security / make sense?
> - dovecot: is restricting the allowed IP addresses for dovecot possible as well? Does this provide security / make sense?
> - Any other measures?

It depends what you want to spend, and how much time you have to set it up.

A two-NIC firewall machine between the router and the rest of the network (presumably your mail server is wired to the router, it's only clients that are wireless) will do a lot to minimise any security problems with the router, and give you detailed control of what protocols go in and out.

A wireless access point inside the firewall (or even without the firewall) will allow your clients access without using the possibly suspect wireless capability of the router. You can leave the router wireless running for guests who need no access to your network, or better still, turn it on only when required.

Running a freeradius server (pretty much all wireless routers/APs will work with 802.1x) will allow you to require digital certificates to be installed on wireless clients, other connections will be refused.

You can run a web proxy on the firewall, and filter out any content you feel isn't safe for your clients.

There are other possibilities, but it all requires a machine running at all times when Net access is required, which you may not be willing to do. I have a baby HP server which uses about thirty watts, which I'm willing to run continuously, but a low-power workstation or even laptop with a USB NIC added should also do the job. I've heard of people using a Raspberry Pi, but I don't think even the latest ones really have the computing power for the job, certainly not for a web proxy. The OS, obviously, is Debian Stable, preferably without X.

If you make the step to a continuously-running server, you will think of all kinds of other things to do with it: mine is primarily a firewall and SMTP/IMAP mail server, but it also plays MP3s through the hi-fi system...

--
Joe
Re: Security in our local network
Hi,

On 08/15/2015 12:00 PM, B. M. wrote:
> - WLAN: SSID hidden, strong password, but I can't really trust the router, can I ?

Hidden SSID probably just gives you a wrong sense of security. See here [1] for example.

Cheers,
Simon

[1] http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/
Re: Security in our local network
On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> - I have no control over the router (firmware updates? security fixes? I assume it's really cheap ...)

I would start right there. If you can't get firmware updates, get rid of it and replace it. Preferably with something that runs OpenWRT or similar, or do careful research for a manufacturer that takes security seriously.

Most cheap routers have terrible security, some come with backdoors out of the box [1]

There seems to be a trend towards bad actors targeting and taking over routers, so this is a very real risk.

1. My router did, but I never used it with anything besides OpenWRT: http://www.h-online.com/security/news/item/Treacherous-backdoor-found-in-TP-Link-routers-1822720.html

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5
Re: Security in our local network
On Sat, 15 Aug 2015 07:34:55 -0400 Renaud (Ron) OLGIATI ren...@olgiati-in-paraguay.org wrote:
> On Sat, 15 Aug 2015 12:20:35 +0100 Joe j...@jretrading.com wrote:
> > A two-NIC firewall machine between the router and the rest of the network (presumably your mail server is wired to the router, it's only clients that are wireless) will do a lot to minimise any security problems with the router, and give you detailed control of what protocols go in and out.
>
> Read again, he says his router has no ethernet port.

- Several clients use WLAN exclusively (no ethernet ports)

I took that to mean that some clients had no ethernet ports, he says 'several', not 'all'. Phones, tablets etc...

--
Joe
Re: Security in our local network
Another thing to keep an eye on is WPS, Wi-Fi Protected Setup. It's quite easy to crack to gain the password. An informed user will turn off that feature. Except that some routers lie, and remain vulnerable.

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 6FAB5CD5
Re: Security in our local network
On Sat, 15 Aug 2015 12:20:35 +0100 Joe j...@jretrading.com wrote:
> A two-NIC firewall machine between the router and the rest of the network (presumably your mail server is wired to the router, it's only clients that are wireless) will do a lot to minimise any security problems with the router, and give you detailed control of what protocols go in and out.

Read again, he says his router has no ethernet port.

Cheers,
Ron.
--
It is a typically Hohenzollern idea to believe that it is a crime for a country to defend itself after its army has been destroyed.
-- Karl Marx

-- http://www.olgiati-in-paraguay.org --
Re: Security in our local network
On Sat, 2015-08-15 at 11:59 +0200, B. M. wrote:
> - Configure apache to require SSL client authentication - not yet possible because the owncloud sync client doesn't support that yet

If I'm not totally confused the default setting for owncloud is to connect through https:, I certainly have a https:// address for my owncloud instance. Also, you might consider encrypting the file space for users.

/Martin s--
* This address is for technical mail lists only. For all other matters, please use my main address at the .org domain. *